Saved February 14, 2026
This article details a vulnerability in Kubernetes where service accounts with nodes/proxy GET permissions can execute commands in any Pod across reachable Nodes. This issue arises from how the Kubelet authorizes WebSocket connections, potentially leading to full cluster compromise without proper logging.
The article explains a significant security vulnerability in Kubernetes concerning the `nodes/proxy` GET permission. This permission, commonly granted to service accounts so they can read Pod metrics and logs, also allows unexpected command execution inside Pods when the request is made over a WebSocket connection. The vulnerability arises because the Kubelet does not check, after the initial WebSocket handshake, that the caller holds the permissions needed to execute commands. As a result, anyone holding this permission can execute commands in any Pod on reachable Nodes, potentially compromising the entire cluster.
The vulnerability affects Kubernetes versions 1.34 and 1.35, and it has been deemed "working as intended," meaning no patch will be issued. The article identifies 69 Helm charts that rely on this permission, including popular tools like Prometheus, Datadog, and Grafana. Kubernetes administrators are advised to check their service accounts for this permission, as it can lead to severe security risks. The author provides a script for detection and outlines how an attacker could exploit the vulnerability using a tool like `websocat`.
The article delves into the mechanics of the `nodes/proxy` resource. Unlike other Kubernetes resources that map to specific operations, this permission acts as a catch-all for Kubelet API access. It allows for proxying requests from the API Server to the Kubelet, facilitating operations like reading metrics and logs. The article illustrates how these requests can generate logs under certain conditions, but emphasizes that direct connections to the Kubelet API do not log executed commands, further complicating detection efforts.
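Since the article's advice is to audit which service accounts hold `nodes/proxy`, the following is an added example of such an audit (written here, not the author's own detection script). It assumes input in the shape produced by `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` (a List whose `items` carry `kind`, `metadata`, `rules` or `roleRef`/`subjects`), and uses constructed sample objects so it runs offline. It flags a ClusterRole as risky when any rule reaches `nodes/proxy`, whether by naming it directly, via `nodes/*`, or via a resource wildcard, with any verb, because the article's point is that GET alone is enough.

```python
"""Audit Kubernetes RBAC for ClusterRoles that grant nodes/proxy and the
subjects bound to them. Added example; assumes kubectl -o json List shape."""
import json

# Group/resource patterns that reach nodes/proxy. Nodes live in the core API
# group, which RBAC spells as "" ; "*" matches every group or resource.
_GROUPS = {"", "*"}
_RESOURCES = {"nodes/proxy", "nodes/*", "*"}


def rule_grants_node_proxy(rule):
    """True if a single RBAC rule grants any verb on nodes/proxy."""
    if not _GROUPS & set(rule.get("apiGroups", [])):
        return False
    if not _RESOURCES & set(rule.get("resources", [])):
        return False
    return bool(rule.get("verbs"))


def find_node_proxy_roles(role_list):
    """Return [(clusterrole_name, sorted verbs)] for roles reaching nodes/proxy."""
    hits = []
    for item in role_list.get("items", []):
        if item.get("kind") != "ClusterRole":
            continue  # a namespaced Role cannot grant cluster-scoped nodes
        for rule in item.get("rules") or []:
            if rule_grants_node_proxy(rule):
                hits.append((item["metadata"]["name"], sorted(rule["verbs"])))
                break
    return hits


def bound_subjects(role_hits, binding_list):
    """Map each flagged ClusterRole to the subjects bound to it."""
    flagged = {name for name, _ in role_hits}
    out = {name: [] for name in flagged}
    for b in binding_list.get("items", []):
        ref = b.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") in flagged:
            for s in b.get("subjects") or []:
                ns = s.get("namespace", "")
                out[ref["name"]].append(f"{s['kind']}:{ns}/{s['name']}" if ns
                                        else f"{s['kind']}:{s['name']}")
    return out


# Constructed sample data shaped like `kubectl get ... -o json` output.
SAMPLE_ROLES = {"items": [
    {"kind": "ClusterRole", "metadata": {"name": "metrics-reader"},
     "rules": [{"apiGroups": [""], "resources": ["nodes", "nodes/proxy", "pods"],
                "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "node-all"},
     "rules": [{"apiGroups": ["*"], "resources": ["nodes/*"], "verbs": ["*"]}]},
]}
SAMPLE_BINDINGS = {"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "metrics-reader-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "metrics-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "prometheus",
                   "namespace": "monitoring"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "viewer-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "ServiceAccount", "name": "dashboard",
                   "namespace": "kube-system"}]},
]}


if __name__ == "__main__":
    hits = find_node_proxy_roles(SAMPLE_ROLES)
    print(json.dumps({"roles": hits, "subjects": bound_subjects(hits, SAMPLE_BINDINGS)},
                     indent=2))
```

Against a live cluster, replace the two sample objects with `json.load` of the `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` output; every ServiceAccount listed is one that, per the article, can reach any Pod on Nodes its token can talk to, and each should be reviewed to see whether the Helm chart that created it actually needs `nodes/proxy`.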